Solaris Security Toolkit 4.2 Reference Manual

Solaris Security Toolkit 4.2 Reference Manual
Sun Microsystems, Inc.
Part No July 2005, Revision A
Submit comments about this document at:

2 Copyright 2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved. Sun Microsystems, Inc. has intellectual property rights relating to technology that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at and one or more additional patents or pending patent applications in the U.S. and in other countries. This document and the product to which it pertains are distributed under licenses restricting their use, copying, distribution, and decompilation. No part of the product or of this document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, Sun BluePrints, Solaris, SunOS, Java, iplanet, JumpStart, SunSolve, AnswerBook2, Sun Enterprise, Sun Enterprise Authentication Mechanism, Sun Fire, SunSoft, SunSHIELD, OpenBoot, and Solstice DiskSuite are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and in other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and in other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. ORACLE is a registered trademark of Oracle Corporation. The OPEN LOOK and Sun Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. 
Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun's licensees who implement OPEN LOOK GUIs and otherwise comply with Sun's written license agreements. U.S. Government Rights Commercial use. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements. DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

3 Contents Preface xxxi 1. Introduction to Solaris 10 Operating System Support 1 Using Perl With Solaris Security Toolkit 4.2 Software 1 SMF and Legacy Services on Solaris 10 OS 2 Scripts That Use the SMF-Ready Services Interface 3 Scripts That SMF Recognizes as Legacy Services 4 New Scripts for Solaris Security Toolkit 4.2 Release 5 Scripts Not Used for Solaris 10 6 Environment Variables Not Used for Solaris 10 6 Using Solaris 10 OS Zones 7 Sequence Matters in Hardening Global and Non-Global Zones 7 Harden a Non-Global Zone From Within That Zone 7 Some Scripts Are Not Relevant to Non-Global Zones 8 Audits of Non-Global Zones Are Separate and Distinct From Audits of Global Zones 8 Zone-Aware Finish and Audit Scripts 9 Some Zone-Aware Scripts Require Action Before Use in Non-Global Zones 9 rpcbind Disabled or Enabled Based on Drivers 10 To Enable rpcbind 10 iii

4 Using TCP Wrappers 11 TCP Wrappers Configuration for secure.driver 12 TCP Wrappers Configuration for server-secure.driver 12 TCP Wrappers Configuration for suncluster3x-secure.driver 12 TCP Wrappers Configuration for sunfire_15k_sc-secure.driver 13 Defining Environment Variables 13 Earlier Solaris Security Toolkit Versions 13 Solaris Security Toolkit Framework Functions 15 Customizing Framework Functions 15 Using Common Log Functions 17 logbanner 18 logdebug 19 logerror 19 logfailure 20 logfilecontentsexist and logfilecontentsnotexist 20 logfileexists and logfilenotexists 21 logfilegroupmatch and logfilegroupnomatch 22 logfilemodematch and logfilemodenomatch 22 logfilenotfound 23 logfileownermatch and logfileownernomatch 24 logfiletypematch and logfiletypenomatch 25 iv Solaris Security Toolkit 4.2 Reference Manual July 2005

5 logfinding 26 logformattedmessage 27 loginvaliddisablemode 27 loginvalidosrevision 28 logmessage 28 lognotglobalzone 29 lognotice 29 logpackageexists and logpackagenotexists 30 logpatchexists and logpatchnotexists 30 logprocessargsmatch and logprocessargsnomatch 31 logprocessexists and logprocessnotexists 32 logprocessnotfound 32 logscore 33 logscriptfailure 33 logserviceconfigexists and logserviceconfignotexists 34 logservicedisabled and logserviceenabled 34 logserviceinstalled and logservicenotinstalled 35 logserviceoptiondisabled and logserviceoptionenabled 36 logserviceprocesslist 36 logservicepropdisabled and logservicepropenabled 37 logservicerunning and logservicenotrunning 37 logstartscriptexists and logstartscriptnotexists 38 logstopscriptexists and logstopscriptnotexists 39 logsuccess 39 Contents v

6 logsummary 40 loguserlocked and logusernotlocked 40 logundobackupwarning 41 logwarning 41 Using Common Miscellaneous Functions 42 adjustscore 42 checklogstatus 43 clean_path 43 extractcomments 44 get_driver_report 44 get_lists_conjunction 44 get_lists_disjunction 45 invalidvulnval 45 isnumeric 46 printpretty 46 printprettypath 46 strip_path 47 Using Driver Functions 47 add_crontab_entry_if_missing 48 add_option_to_ftpd_property 49 add_patch 50 add_pkg 50 add_to_manifest 51 backup_file 53 backup_file_in_safe_directory 54 change_group 54 change_mode 54 change_owner 55 vi Solaris Security Toolkit 4.2 Reference Manual July 2005

7 check_and_log_change_needed 55 check_os_min_version 56 check_os_revision 57 check_readonlymounted 58 checksum 58 convert_inetd_service_to_frmi 58 copy_a_dir 59 copy_a_file 59 copy_a_symlink 59 copy_files 60 create_a_file 62 create_file_timestamp 63 disable_conf_file 63 disable_file 63 disable_rc_file 64 disable_service 65 enable_service 65 find_sst_run_with 65 get_expanded_file_name 66 get_stored_keyword_val 66 get_users_with_retries_set 67 is_patch_applied and is_patch_not_applied 67 is_service_enabled 68 is_service_installed 68 is_service_running 69 is_user_account_extant 69 is_user_account_locked 70 is_user_account_login_not_set 70 Contents vii

8 is_user_account_passworded 71 lock_user_account 71 make_link 71 mkdir_dashp 72 move_a_file 72 rm_pkg 73 set_service_property_value 73 set_stored_keyword_val 73 unlock_user_account 74 update_inetconv_in_upgrade 74 warn_on_default_files 75 write_val_to_file 75 Using Audit Functions 76 check_filecontentsexist and check_filecontentsnotexist 77 check_fileexists and check_filenotexists 77 check_filegroupmatch and check_filegroupnomatch 78 check_filemodematch and check_filemodenomatch 79 check_fileownermatch and check_fileownernomatch 80 check_filetemplate 80 check_filetypematch and check_filetypenomatch 81 check_if_crontab_entry_present 82 check_keyword_value_pair 82 check_minimized 83 check_minimized_service 83 viii Solaris Security Toolkit 4.2 Reference Manual July 2005

9 check_packageexists and check_packagenotexists 84 check_patchexists and check_patchnotexists 85 check_processargsmatch and check_processargsnomatch 85 check_processexists and check_processnotexists 86 check_serviceconfigexists and check_serviceconfignotexists 87 check_servicedisabled and check_serviceenabled 87 check_serviceinstalled and check_servicenotinstalled 88 check_serviceoptionenabled and check_serviceoptiondisabled 88 check_servicepropdisabled 89 check_servicerunning and check_servicenotrunning 89 check_startscriptexists and check_startscriptnotexists 89 check_stopscriptexists and check_stopscriptnotexists 90 check_userlocked and check_usernotlocked 91 finish_audit 91 get_cmdfromservice 91 start_audit File Templates 93 Customizing File Templates 93 To Customize a File Template 94 Understanding Criteria for How Files Are Copied 95 Contents ix

10 Using Configuration Files 96 driver.init 97 finish.init 97 user.init.sample 98 To Add a New Variable to the user.init script 99 To Append Entries to Variables Using the user.init File 100 Using File Templates 100.cshrc 101.profile 102 etc/default/sendmail 102 etc/dt/config/xaccess 102 etc/ftpd/banner.msg 103 etc/hosts.allow and etc/hosts.deny 103 etc/hosts.allow-15k_sc 104 etc/hosts.allow-server 104 etc/hosts.allow-suncluster 104 etc/init.d/nddconfig 105 etc/init.d/set-tmp-permissions 105 etc/init.d/sms_arpconfig 105 etc/init.d/swapadd 105 etc/issue and etc/motd 106 etc/notrouter 106 etc/opt/ipf/ipf.conf 106 etc/opt/ipf/ipf.conf-15k_sc 106 etc/opt/ipf/ipf.conf-server 107 etc/rc2.d/s00set-tmp-permissions and etc/rc2.d/s07set-tmp-permissions 107 etc/rc2.d/s70nddconfig 107 x Solaris Security Toolkit 4.2 Reference Manual July 2005

11 etc/rc2.d/s73sms_arpconfig 108 etc/rc2.d/s77swapadd 108 etc/security/audit_control 108 etc/security/audit_class+5.8 and etc/security/audit_event etc/security/audit_class+5.9 and etc/security/audit_event etc/sms_domain_arp and /etc/sms_sc_arp 109 etc/syslog.conf 109 root/.cshrc 110 root/.profile 110 var/opt/sunwjass/bart/rules 110 var/opt/sunwjass/bart/rules-secure Drivers 113 Understanding Driver Functions and Processes 113 Load Functionality Files 114 Perform Basic Checks 115 Load User Functionality Overrides 115 Mount File Systems to JumpStart Client 115 Copy or Audit Files 116 Execute Scripts 116 Compute Total Score for the Run 117 Unmount File Systems From JumpStart Client 117 Customizing Drivers 118 To Customize a Driver 119 Using Standard Drivers 122 config.driver 122 hardening.driver 123 Contents xi

12 secure.driver 126 Using Product-Specific Drivers 127 server-secure.driver 128 suncluster3x-secure.driver 128 sunfire_15k_sc-secure.driver Finish Scripts 131 Customizing Finish Scripts 131 Customize Existing Finish Scripts 132 To Customize a Finish Script 132 Prevent kill Scripts From Being Disabled 134 Create New Finish Scripts 134 Using Standard Finish Scripts 137 Disable Finish Scripts 138 disable-ab2.fin 139 disable-apache.fin 139 disable-apache2.fin 139 disable-appserv.fin 140 disable-asppp.fin 140 disable-autoinst.fin 140 disable-automount.fin 141 disable-dhcp.fin 141 disable-directory.fin 141 disable-dmi.fin 142 disable-dtlogin.fin 142 disable-face-log.fin 142 disable-iiim.fin 143 disable-ipv6.fin 143 disable-kdc.fin 143 xii Solaris Security Toolkit 4.2 Reference Manual July 2005

13 disable-keyboard-abort.fin 144 disable-keyserv-uid-nobody.fin 144 disable-ldap-client.fin 144 disable-lp.fin 145 disable-mipagent.fin 145 disable-named.fin 145 disable-nfs-client.fin 145 disable-nfs-server.fin 146 disable-nscd-caching.fin 146 disable-picld.fin 147 disable-power-mgmt.fin 147 disable-ppp.fin 147 disable-preserve.fin 148 disable-remote-root-login.fin 148 disable-rhosts.fin 148 disable-routing.fin 148 disable-rpc.fin 149 disable-samba.fin 149 disable-sendmail.fin 149 disable-slp.fin 150 disable-sma.fin 150 disable-snmp.fin 150 disable-spc.fin 151 disable-ssh-root-login.fin 151 disable-syslogd-listen.fin 151 disable-system-accounts.fin. 152 disable-uucp.fin 152 disable-vold.fin 152 Contents xiii

14 disable-wbem.fin 153 disable-xfs-fin 153 disable-xserver.listen.fin 153 Enable Finish Scripts 153 enable-account-lockout.fin 154 enable-bart.fin 154 enable-bsm.fin 156 enable-coreadm.fin 156 enable-ftpaccess.fin 157 enable-ftp-syslog.fin 157 enable-inetd-syslog.fin 157 enable-ipfilter.fin 158 enable-password-history.fin 159 enable-priv-nfs-ports.fin 160 enable-process-accounting.fin 160 enable-rfc1948.fin 160 enable-stack-protection.fin 161 enable-tcpwrappers.fin 161 Install Finish Scripts 162 install-at-allow.fin 162 install-fix-modes.fin 163 install-ftpusers.fin 163 install-jass.fin 163 install-loginlog.fin 164 install-md5.fin 164 install-nddconfig.fin 164 install-newaliases.fin 164 install-openssh.fin 165 xiv Solaris Security Toolkit 4.2 Reference Manual July 2005

15 install-recommended-patches.fin 165 install-sadmind-options.fin 165 install-security-mode.fin 165 install-shells.fin 166 install-strong-permissions.fin 166 install-sulog.fin 166 install-templates.fin 167 Print Finish Scripts 167 print-jass-environment.fin 167 print-jumpstart-environment.fin 167 print-rhosts.fin 168 print-sgid-files.fin 168 print-suid-files.fin 168 print-unowned-objects.fin 168 print-world-writable-objects.fin 168 Remove Finish Script 169 remove-unneeded-accounts.fin 169 Set Finish Scripts 169 set-banner-dtlogin.fin 170 set-banner-ftpd.fin 170 set-banner-sendmail.fin 170 set-banner-sshd.fin 171 set-banner-telnet.fin 171 set-flexible-crypt.fin 171 set-ftpd-umask.fin 172 set-login-retries.fin 173 set-power-restrictions.fin 173 set-rmmount-nosuid.fin 173 Contents xv

16 set-root-group.fin 174 set-root-home-dir.fin 174 set-root-password.fin 175 set-strict-password-checks.fin 175 set-sys-suspend-restrictions.fin 175 set-system-umask.fin 176 set-term-type.fin 176 set-tmpfs-limit.fin 176 set-user-password-reqs.fin 176 set-user-umask.fin 177 Update Finish Scripts 177 update-at-deny.fin 178 update-cron-allow.fin 178 update-cron-deny.fin 178 update-cron-log-size.fin 178 update-inetd-conf.fin 179 Using Product-Specific Finish Scripts 179 suncluster3x-set-nsswitch-conf.fin 180 s15k-static-arp.fin 180 s15k-exclude-domains.fin 180 s15k-sms-secure-failover.fin Audit Scripts 183 Customizing Audit Scripts 183 Customize Standard Audit Scripts 183 To Customize An Audit Script 184 Create New Audit Scripts 187 Using Standard Audit Scripts 187 Disable Audit Scripts 188 xvi Solaris Security Toolkit 4.2 Reference Manual July 2005

17 disable-ab2.aud 189 disable-apache.aud 189 disable-apache2.aud 189 disable-appserv.aud 190 disable-asppp.aud 190 disable-autoinst.aud 190 disable-automount.aud 190 disable-dhcpd.aud 191 disable-directory.aud 191 disable-dmi.aud 191 disable-dtlogin.aud 191 disable-face-log.aud 192 disable-iiim.aud 192 disable-ipv6.aud 192 disable-kdc.aud 192 disable-keyboard-abort.aud 193 disable-keyserv-uid-nobody.aud 193 disable-ldap-client.aud 193 disable-lp.aud 193 disable-mipagent.aud 194 disable-named.aud 194 disable-nfs-client.aud 194 disable-nfs-server.aud 194 disable-nscd-caching.aud 195 disable-picld.aud 195 disable-power-mgmt.aud 195 disable-ppp.aud 195 disable-preserve.aud 195 Contents xvii

18 disable-remote-root-login.aud 196 disable-rhosts.aud 196 disable-routing.aud 196 disable-rpc.aud 196 disable-samba.aud 197 disable-sendmail.aud 197 disable-slp.aud 198 disable-sma.aud 198 disable-snmp.aud 198 disable-spc.aud 198 disable-ssh-root-login.aud 199 disable-syslogd-listen.aud 199 disable-system-accounts.aud 199 disable-uucp.aud 199 disable-vold.aud 200 disable-wbem.aud 200 disable-xfs.aud 200 disable-xserver.listen.aud 200 Enable Audit Scripts 201 enable-account-lockout.aud 201 enable-bart.aud 201 enable-bsm.aud 202 enable-coreadm.aud 202 enable-ftp-syslog.aud 202 enable-ftpaccess.aud 203 enable-inetd-syslog.aud 203 enable-ipfilter.aud 203 enable-password-history.aud 204 xviii Solaris Security Toolkit 4.2 Reference Manual July 2005

19 enable-priv-nfs-ports.aud 204 enable-process-accounting.aud 204 enable-rfc1948.aud 204 enable-stack-protection.aud 205 enable-tcpwrappers.aud 205 Install Audit Scripts 205 install-at-allow.aud 206 install-fix-modes.aud 206 install-ftpusers.aud 206 install-jass.aud 206 install-loginlog.aud 207 install-md5.aud 207 install-nddconfig.aud 207 install-newaliases.aud 207 install-openssh.aud 208 install-recommended-patches.aud 208 install-sadmind-options.aud 208 install-security-mode.aud 208 install-shells.aud 209 install-strong-permissions.aud 209 install-sulog.aud 210 install-templates.aud 210 Print Audit Scripts 210 print-jass-environment.aud 210 print-jumpstart-environment.aud 210 print-rhosts.aud 211 print-sgid-files.aud 211 print-suid-files.aud 211 Contents xix

20 print-unowned-objects.aud 211 print-world-writable-objects.aud 211 Remove Audit Script 211 remove-unneeded-accounts.aud 212 Set Audit Scripts 212 set-banner-dtlogin.aud 212 set-banner-ftpd.aud 213 set-banner-sendmail.aud 213 set-banner-sshd.aud 213 set-banner-telnet.aud 213 set-flexible-crypt.aud 214 set-ftpd-umask.aud 214 set-login-retries.aud 214 set-power-restrictions.aud 214 set-rmmount-nosuid.aud 215 set-root-group.aud 215 set-root-home-dir.aud 215 set-root-password.aud 215 set-strict-password-checks.aud 216 set-sys-suspend-restrictions.aud 216 set-system-umask.aud 216 set-term-type.aud 216 set-tmpfs-limit.aud 216 set-user-password-reqs.aud 217 set-user-umask.aud 217 Update Audit Scripts 217 update-at-deny.aud 218 update-cron-allow.aud 218 xx Solaris Security Toolkit 4.2 Reference Manual July 2005

21 update-cron-deny.aud 218 update-cron-log-size.aud 219 update-inetd-conf.aud 219 Using Product-Specific Audit Scripts 220 suncluster3x-set-nsswitch-conf.aud 220 s15k-static-arp.aud 221 s15k-exclude-domains.aud 221 s15k-sms-secure-failover.aud Environment Variables 223 Customizing and Assigning Variables 223 Assigning Static Variables 224 Assigning Dynamic Variables 225 Assigning Complex Substitution Variables 225 Assigning Global and Profile-Based Variables 227 Creating Environment Variables 227 Using Environment Variables 228 Defining Framework Variables 229 JASS_AUDIT_DIR 231 JASS_CHECK_MINIMIZED 231 JASS_CONFIG_DIR 231 JASS_DISABLE_MODE 232 JASS_DISPLAY_HOST_LENGTH 232 JASS_DISPLAY_HOSTNAME 233 JASS_DISPLAY_SCRIPT_LENGTH 233 JASS_DISPLAY_SCRIPTNAME 233 JASS_DISPLAY_TIME_LENGTH 233 JASS_DISPLAY_TIMESTAMP 234 JASS_FILE_COPY_KEYWORD 234 Contents xxi

22 JASS_FILES 234 JASS_FILES_DIR 237 JASS_FINISH_DIR 238 JASS_HOME_DIR 238 JASS_HOSTNAME 238 JASS_ISA_CAPABILITY 238 JASS_LOG_BANNER 239 JASS_LOG_ERROR 239 JASS_LOG_FAILURE 239 JASS_LOG_NOTICE 240 JASS_LOG_SUCCESS 240 JASS_LOG_SUMMARY 240 JASS_LOG_WARNING 240 JASS_MODE 241 JASS_OS_REVISION 241 JASS_OS_TYPE 241 JASS_PACKAGE_DIR 242 JASS_PATCH_DIR 242 JASS_PKG 242 JASS_REPOSITORY 242 JASS_ROOT_DIR 243 JASS_ROOT_HOME_DIR 243 JASS_RUN_AUDIT_LOG 243 JASS_RUN_CHECKSUM 244 JASS_RUN_CLEAN_LOG 244 JASS_RUN_FINISH_LIST 245 JASS_RUN_INSTALL_LOG 245 JASS_RUN_MANIFEST 245 xxii Solaris Security Toolkit 4.2 Reference Manual July 2005

23 JASS_RUN_SCRIPT_LIST 245 JASS_RUN_UNDO_LOG 246 JASS_RUN_VALUES 246 JASS_RUN_VERSION 246 JASS_SAVE_BACKUP 247 JASS_SCRIPT 247 JASS_SCRIPT_ERROR_LOG 247 JASS_SCRIPT_FAIL_LOG 248 JASS_SCRIPT_NOTE_LOG 248 JASS_SCRIPT_WARN_LOG 248 JASS_SCRIPTS 248 JASS_STANDALONE 250 JASS_SUFFIX 250 JASS_TIMESTAMP 251 JASS_UNAME 251 JASS_UNDO_TYPE 251 JASS_USER_DIR 252 JASS_VERBOSITY 252 JASS_VERSION 253 JASS_ZONE_NAME 254 Define Script Behavior Variables 254 JASS_ACCT_DISABLE 256 JASS_ACCT_REMOVE 257 JASS_AGING_MAXWEEKS 257 JASS_AGING_MINWEEKS 257 JASS_AGING_WARNWEEKS 257 JASS_AT_ALLOW 258 JASS_AT_DENY 258 Contents xxiii

24 JASS_BANNER_DTLOGIN 259 JASS_BANNER_FTPD 259 JASS_BANNER_SENDMAIL 259 JASS_BANNER_SSHD 259 JASS_BANNER_TELNETD 260 JASS_CORE_PATTERN 260 JASS_CPR_MGT_USER 260 JASS_CRON_ALLOW 260 JASS_CRON_DENY 261 JASS_CRON_LOG_SIZE 261 JASS_CRYPT_ALGORITHMS_ALLOW 262 JASS_CRYPT_DEFAULT 262 JASS_CRYPT_FORCE_EXPIRE 262 JASS_FIXMODES_DIR 262 JASS_FIXMODES_OPTIONS 263 JASS_FTPD_UMASK 263 JASS_FTPUSERS 263 JASS_KILL_SCRIPT_DISABLE 264 JASS_LOGIN_RETRIES 264 JASS_MD5_DIR 264 JASS_NOVICE_USER 265 JASS_PASS_ Environment Variables 265 JASS_PASS_DICTIONDBDIR 265 JASS_PASS_DICTIONLIST 265 JASS_PASS_HISTORY 266 JASS_PASS_LENGTH 266 JASS_PASS_MAXREPEATS 266 JASS_PASS_MINALPHA 266 xxiv Solaris Security Toolkit 4.2 Reference Manual July 2005

25 JASS_PASS_MINDIFF 267 JASS_PASS_MINDIGIT 267 JASS_PASS_MINLOWER 268 JASS_PASS_MINNONALPHA 268 JASS_PASS_MINSPECIAL 268 JASS_PASS_MINUPPER 269 JASS_PASS_NAMECHECK 269 JASS_PASS_WHITESPACE 269 JASS_PASSWD 270 JASS_POWER_MGT_USER 270 JASS_REC_PATCH_OPTIONS 270 JASS_RHOSTS_FILE 270 JASS_ROOT_GROUP 271 JASS_ROOT_PASSWORD 271 JASS_SADMIND_OPTIONS 271 JASS_SENDMAIL_MODE 272 JASS_SGID_FILE 272 JASS_SHELLS 272 JASS_SUID_FILE 273 JASS_SUSPEND_PERMS 273 JASS_SVCS_DISABLE 274 JASS_SVCS_ENABLE 275 JASS_TMPFS_SIZE 276 JASS_UMASK 276 JASS_UNOWNED_FILE 276 JASS_WRITABLE_FILE 276 Define JumpStart Mode Variables 277 JASS_PACKAGE_MOUNT 277 Contents xxv

26 JASS_PATCH_MOUNT 278 Glossary 279 Index 287 xxvi Solaris Security Toolkit 4.2 Reference Manual July 2005

27 Tables TABLE 1-1 Solaris Security Toolkit Scripts That Use the SMF-Ready Services Interface 3 TABLE 1-2 Solaris Security Toolkit Scripts That SMF Recognizes as Legacy Services 4 TABLE 1-3 Solaris Security Toolkit Scripts Not Used for Solaris 10 6 TABLE 1-4 Solaris Security Toolkit 4.2 Zone-Aware Finish and Audit Scripts 9 TABLE 2-1 File Types Detected by Using the check_filetypematch Function 25 TABLE 2-2 Options for add_patch Finish Script Function 50 TABLE 2-3 Options for add_pkg Function 50 TABLE 2-4 add_to_manifest Options and Sample Manifest Entries 52 TABLE 2-5 create_a_file Command Options 62 TABLE 2-6 rm_pkg Function Options 73 TABLE 2-7 File Types Detected by the check_filetypematch Function 81 TABLE 4-1 Product-Specific Drivers 127 TABLE 5-1 Product-Specific Finish Scripts 179 TABLE 6-1 List of Shells Defined by JASS_SHELLS 209 TABLE 6-2 Sample Output of JASS_SVCS_DISABLE 219 TABLE 6-3 Product-Specific Audit Scripts 220 TABLE 7-1 Supporting OS Versions in the JASS_FILES Variable 235 TABLE 7-2 Supporting OS Versions in the JASS_SCRIPTS Variable 249 TABLE 7-3 Verbosity Levels for Audit Runs 253 xxvii

29 Code Samples CODE EXAMPLE 1-1 Hardening a Non-Global Zone 8 CODE EXAMPLE 1-2 TCP Wrappers Configuration for secure.driver in Solaris 10 OS 12 CODE EXAMPLE 1-3 TCP Wrappers Configuration for server-secure.driver in Solaris 10 OS 12 CODE EXAMPLE 1-4 TCP Wrappers Configuration for suncluster3x-secure.driver in Solaris 10 OS 12 CODE EXAMPLE 1-5 TCP Wrappers Configuration for sunfire_15k_sc-secure.driver in Solaris 10 OS 13 CODE EXAMPLE 2-1 Extending Functionality by Customizing the Framework 16 CODE EXAMPLE 2-2 Sample Banner Message 18 CODE EXAMPLE 2-3 Detecting Functionality That Exists in Multiple OS Releases 56 CODE EXAMPLE 2-4 Checking for a Specific OS Revision or Range 57 CODE EXAMPLE 2-5 Checksum Output From MD5 in Solaris 10 OS 58 CODE EXAMPLE 3-1 Adding a User-Defined Variable 99 CODE EXAMPLE 3-2 Appending Entries to Variables Using user.init File 100 CODE EXAMPLE 4-1 Creating a Nested or Hierarchical Security Profile 121 CODE EXAMPLE 4-2 Having a Driver Implement Its Own Functionality 121 CODE EXAMPLE 4-3 Exempt From config.driver 123 CODE EXAMPLE 4-4 secure.driver Contents 126 CODE EXAMPLE 5-1 Sample install-openssh.fin Script 133 CODE EXAMPLE 5-2 Default BART rules-secure File 155 CODE EXAMPLE 5-3 Default BART rules File 155 CODE EXAMPLE 5-4 secure.driver Default IP Filter Rules File 158 xxix

30 CODE EXAMPLE 5-5 server-secure.driver Default IP Filter Rules File 158 CODE EXAMPLE 5-6 sunfire_15k_sc-secure.driver Default IP Filter Rules File 159 CODE EXAMPLE 5-7 Password Encryption Tunables for Solaris Security Toolkit Drivers 172 CODE EXAMPLE 6-1 Sample install-openssh.aud Script 185 CODE EXAMPLE 7-1 Variable Assignment Based on OS Version 226 CODE EXAMPLE 7-2 Adding rlogin to JASS_SVCS_ENABLE list 275 xxx Solaris Security Toolkit 4.2 Reference Manual July 2005

Preface

This Solaris Security Toolkit 4.2 Reference Manual contains reference information for understanding and using the internals of the Solaris Security Toolkit software. This manual is primarily intended for persons who use the Solaris Security Toolkit software to secure Solaris Operating System (OS) versions through 10, such as administrators, consultants, and others, who are deploying new Sun systems or securing deployed systems. The instructions apply to using the software in either its JumpStart mode or stand-alone mode.

Following are terms used in this manual that are important to understand:

Hardening: Modifying Solaris OS configurations to improve a system's security.

Auditing: Determining if a system's configuration is in compliance with a predefined security profile.

Scoring: Counting the number of failures uncovered during an audit run. If no failures (of any kind) are found, then the resulting score is 0. The Solaris Security Toolkit increments the score (also known as a vulnerability value) by 1 whenever a failure is detected.

Before You Read This Book

You should be a Sun Certified System Administrator for Solaris or Sun Certified Network Administrator for Solaris. You should also have an understanding of standard network protocols and topologies. Because this book is designed to be useful to people with varying degrees of experience or knowledge of security, your experience and knowledge will determine how you use this book.

How This Book Is Organized

This manual contains reference information about the software components and is structured as follows:

Chapter 1 is an introduction to how to use Solaris Security Toolkit 4.2 software with the Solaris 10 OS.

Chapter 2 provides reference information for using, adding, modifying, and removing framework functions. Framework functions provide flexibility for you to change the behavior of the Solaris Security Toolkit software without modifying source code.

Chapter 3 provides reference information about using, modifying, and customizing the file templates included in the Solaris Security Toolkit software.

Chapter 4 provides reference information about using, adding, modifying, and removing drivers. This chapter describes the drivers used by the Solaris Security Toolkit software to harden, minimize, and audit Solaris OS systems.

Chapter 5 provides reference information about using, adding, modifying, and removing finish scripts. This chapter describes the scripts used by the Solaris Security Toolkit software to harden and minimize Solaris OS systems.

Chapter 6 provides reference information for using, adding, modifying, and removing audit scripts.

Chapter 7 provides reference information about using environment variables. This chapter describes all of the variables used by the Solaris Security Toolkit software and provides tips and techniques for customizing their values.

Using UNIX Commands

This document might not contain information on basic UNIX commands and procedures such as shutting down the system, booting the system, and configuring devices. Refer to the following for this information:

Software documentation that you received with your system
Solaris Operating System documentation, which is at

Shell Prompts

Shell                                     Prompt
C shell                                   machine-name%
C shell superuser                         machine-name#
Bourne shell and Korn shell               $
Bourne shell and Korn shell superuser     #

Typographic Conventions

Typeface (1): AaBbCc123
Meaning: The names of commands, files, and directories; on-screen computer output
Examples: Edit your .login file. Use ls -a to list all files. % You have mail.

Typeface (1): AaBbCc123
Meaning: What you type, when contrasted with on-screen computer output
Examples: % su Password:

Typeface (1): AaBbCc123
Meaning: Book titles, new words or terms, words to be emphasized. Replace command-line variables with real names or values.
Examples: Read Chapter 6 in the User's Guide. These are called class options. You must be superuser to do this. To delete a file, type rm filename.

(1) The settings on your browser might differ from these settings.

Using Generic Terms for Hardware Models

Sun Fire high-end systems refers to these model numbers:
E25K
E20K
15K
12K

Sun Fire midrange systems refer to these model numbers:
E6900
E

Sun Fire entry-level midrange systems refer to these model numbers:
E2900
Netra 1280
V1280
V890
V880
V490
V480

Supported Hardware Systems

Solaris Security Toolkit 4.2 software supports SPARC, 64-bit only, and x86 systems.

Supported Solaris OS Versions

Sun support for Solaris Security Toolkit software is available only for its use in the Solaris 8, Solaris 9, and Solaris 10 Operating Systems.

Note: For Solaris Security Toolkit 4.2 software, Solaris 10 can be used only on Sun Fire high-end systems domains, not on the system controller (SC).

While the software can be used in the Solaris 2.5.1, Solaris 2.6, and Solaris 7 Operating Systems, Sun support is not available for its use in those operating systems.

The Solaris Security Toolkit software automatically detects which version of the Solaris Operating System software is installed, then runs tasks appropriate for that operating system version.

Note in examples provided throughout this document that when a script checks for a version of the OS, it checks for 5.x, the SunOS versions, instead of 2.x, 7, 8, 9, or 10, the Solaris OS versions. TABLE P-1 shows the correlation between SunOS and Solaris OS versions.

TABLE P-1 Correlation Between SunOS and Solaris OS Versions

SunOS Version     Solaris OS Version

Supported SMS Versions

If you are using System Management Services (SMS) to run the system controller (SC) on your Sun Fire high-end systems, then Solaris Security Toolkit 4.2 software is supported on all Solaris 8 and 9 OS versions when used with SMS versions 1.3, 1.4.1, and 1.5. No version of SMS is supported on Solaris 10 OS with Solaris Security Toolkit 4.2 software.

Note: For Solaris Security Toolkit 4.2 software, Solaris 10 can be used only on domains, not on the system controller (SC).

Related Documentation

The documents listed as online are available at: Software/enterprise_computing/systems_management/sst/index.html

Application | Title | Part Number | Format | Location
Release Notes | Solaris Security Toolkit 4.2 Release Notes | | PDF, HTML | Online
Administration | Solaris Security Toolkit 4.2 Administration Guide | | PDF, HTML | Online
Man Pages | Solaris Security Toolkit 4.2 Man Page Guide | | PDF | Online

Documentation, Support, and Training

Sun Function | URL | Description
Documentation | | Download PDF and HTML documents, and order printed documents
Support | | Obtain technical support and download patches
Training | | Learn about Sun courses

Third-Party Web Sites

Sun is not responsible for the availability of third-party web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Sun will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.

Sun Welcomes Your Comments

Sun is interested in improving its documentation and welcomes your comments and suggestions. You can submit your comments by going to:

Please include the title and part number of your document with your feedback:

Solaris Security Toolkit 4.2 Reference Manual, part number


CHAPTER 1

Introduction to Solaris 10 Operating System Support

One of the main purposes of the Solaris Security Toolkit 4.2 software release is to provide support for the Solaris 10 Operating System. The Solaris Security Toolkit 4.2 software provides support for new Solaris 10 OS security features, such as the Service Management Facility (SMF), TCP Wrappers, IP Filter, and other features. Refer to the Solaris Security Toolkit 4.2 Release Notes for a complete list of new features.

Using the Solaris Security Toolkit 4.2 software, you can harden and audit the security of systems in a similar manner as earlier versions. You can also use this release of software either in JumpStart or standalone mode, as in earlier versions.

Using Perl With Solaris Security Toolkit 4.2 Software

The Practical Extraction and Report Language (Perl) is delivered with the Solaris 10 OS. If you are creating scripts for use with the Solaris 10 OS, you can use Perl in your scripts, even in JumpStart mode. Versions of the Solaris OS earlier than 10 might not have Perl available during JumpStart or included in the Solaris OS distribution. Ensure that Perl is available in your target environment before you write a script that requires it. Many security-conscious users do remove Perl from their systems, so you also should be aware of that possibility.

The Solaris Security Toolkit attempts to use Perl if it is installed on the system during the audit performed by the set-flexible-crypt.aud script (see set-flexible-crypt.aud on page 214). If Perl is not installed on the system, the script issues an error.

SMF and Legacy Services on Solaris 10 OS

Some of the services under the Internet services daemon (inetd) control that you might want to put in a list to enable or disable are converted to the Service Management Facility and use Fault Management Resource Identifiers (FMRIs), and some services under inetd control are not converted.

SMF-Ready Services

If you want to create lists of SMF-ready services under inetd control to enable or disable, use JASS_SVCS_ENABLE or JASS_SVCS_DISABLE. The JASS_SVCS_DISABLE script disables all services on the list that are SMF ready and that are installed on the system. TABLE 1-1 lists those Solaris Security Toolkit scripts that are SMF ready.

Note: The lists of SMF-ready services are valid only for the Solaris 10 Operating System.

Legacy Services

If you want to create lists of legacy, or unconverted, services under inetd control to enable or disable, you can use JASS_SVCS_ENABLE or JASS_SVCS_DISABLE in the same manner you have been using them in earlier versions of the toolkit. TABLE 1-2 lists those Solaris Security Toolkit scripts that are not converted and that SMF therefore recognizes as legacy services. See JASS_SVCS_DISABLE on page 274 and JASS_SVCS_ENABLE on page 275 for more information.

If you are using the Solaris 10 Operating System, the JASS_SVCS_DISABLE script disables all services listed on the JASS_SVCS_DISABLE list if they are in the inetd.conf file. Therefore, if a service was valid for the Solaris 9 Operating System under inetd, but no longer uses the inetd.conf file for the Solaris 10 Operating System, modifying the JASS_SVCS_DISABLE environment variable makes no changes to that service.

The Solaris Security Toolkit issues a warning message if either the JASS_SVCS_ENABLE or JASS_SVCS_DISABLE environment variable contains either an FMRI or an inetd service name which does not exist on the system.
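
The list handling described in this section can be checked before a hardening run. The following Python code is an added example, not code from the Solaris Security Toolkit: the function names, the sample inetd.conf text, the installed-FMRI set and the vendor-agent service are constructed, and the classification rules are an assumption based on the behaviour this section describes.

```python
"""Pre-flight check for a JASS_SVCS_DISABLE-style list on Solaris 10.

Added example, not Solaris Security Toolkit code. The classification rules
are an assumption that follows the behaviour described in this section.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample inputs (not taken from a real system).
SAMPLE_LIST = "svc:/network/ftp telnet vendor-agent svc:/network/finger"
SAMPLE_INETD_CONF = """\
# Legacy (unconverted) service still configured through inetd.conf
vendor-agent  stream  tcp  nowait  root  /opt/vendor/bin/agentd  agentd
"""
SAMPLE_INSTALLED_FMRIS = {
    "svc:/network/ftp:default",
    "svc:/network/telnet:default",
}


def inetd_service_names(inetd_conf_text: str) -> Set[str]:
    """Return the service names of the uncommented inetd.conf entries."""
    names = set()
    for line in inetd_conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split()[0])
    return names


def fmri_installed(entry: str, installed: Iterable[str]) -> bool:
    """Match a full FMRI, or one written without its instance (':default')."""
    return any(f == entry or f.startswith(entry + ":") for f in installed)


def smf_candidates(name: str, installed: Iterable[str]) -> List[str]:
    """Installed FMRIs whose service name equals a legacy inetd name."""
    return sorted(
        f for f in installed
        if f.split(":")[1].rsplit("/", 1)[-1] == name
    )


def preflight(svc_list: str, inetd_conf_text: str,
              installed_fmris: Iterable[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Map each list entry to (status, FMRIs to use instead)."""
    legacy = inetd_service_names(inetd_conf_text)
    installed = set(installed_fmris)
    result = {}
    for entry in svc_list.split():
        if entry.startswith("svc:/"):
            status = "smf" if fmri_installed(entry, installed) else "warn-missing-fmri"
            result[entry] = (status, [])
        elif entry in legacy:
            result[entry] = ("legacy-inetd", [])
        else:
            # A Solaris 9 inetd name that no longer lives in inetd.conf:
            # the list entry changes nothing, so point at the SMF service.
            result[entry] = ("warn-no-change", smf_candidates(entry, installed))
    return result


if __name__ == "__main__":
    report = preflight(SAMPLE_LIST, SAMPLE_INETD_CONF, SAMPLE_INSTALLED_FMRIS)
    for entry, (status, hints) in report.items():
        print(f"{entry:24} {status:18} {' '.join(hints)}")
```

In the constructed list, the entry telnet is the case to watch: the name is absent from inetd.conf, so the entry changes nothing even though the telnet SMF service is installed.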

Scripts That Use the SMF-Ready Services Interface

TABLE 1-1 lists the Solaris Security Toolkit scripts that use the SMF-ready services interface, their Fault Management Resource Identifiers (FMRIs), and the start or stop scripts used for the Solaris 9 OS.

TABLE 1-1 Solaris Security Toolkit Scripts That Use the SMF-Ready Services Interface

Script Name | Fault Management Resource Identifier (FMRI) | Start/Stop Script for Solaris 9 OS
disable-apache2 (1) | svc:/network/ | None
disable-automount | svc:/system/filesystem/autofs:default | /etc/rc2.d/s74autofs
disable-dhcpd | svc:/network/dhcp-server:default | /etc/rc3.d/s24dhcp
disable-kdc | svc:/network/security/krb5kdc:default | /etc/rd3.d/s13kdc.master, /etc/rd3.d/s14kdc
disable-ldap-client | svc:/network/ldap/client:default | /etc/rc2.d/s71dap.client
disable-lp | svc:/application/print/server:default, svc:/application/print/ipplistener:default, svc:/application/print/rfc1179:default | /etc/rc2.d/s80lp
disable-named | svc:/network/dns/server:default | /etc/named.boot
disable-nfs-client | svc:/network/nfs/client:default, svc:/network/nfs/status:default, svc:/network/nfs/nlocmgr:default | /etc/rc2.d/s73nfs.client
disable-nfs-server | svc:/network/nfs/server:default | /etc/rc3.d/s15nfs
disable-power-mgmt | svc:/system/power:default | /etc/rc2.d/s85power
disable-rpc | svc:/network/rpc/bind:default, svc:/network/rpc/keyserv:default | /etc/rc2.d/s71rpc
disable-sendmail | svc:/network/smtp/sendmail:default | /etc/rc2.d/s99sendmail
disable-slp | svc:/network/slp:default | /etc/rc2.d/s72slpd
disable-spc | svc:/application/print/cleanup:default | /etc/rc2.d/s80spc

TABLE 1-1 Solaris Security Toolkit Scripts That Use the SMF-Ready Services Interface (Continued)

Script Name | Fault Management Resource Identifier (FMRI) | Start/Stop Script for Solaris 9 OS
disable-ssh-root-login | svc:/network/ssh:default | Use pkginfo -q -r SUNWsshdr
disable-uucp | svc:/network/uucp:default | /etc/rc2.d/s70uucp
enable-ftpaccess | svc:/network/ftp:default | /etc/inet/inetd.conf
enable-inetd-syslog | svc:/network/inetd:default | /etc/default/inetd
enable-tcpwrappers | svc:/network/inetd:default | /etc/default/inetd
install-ftpusers | svc:/network/ftp:default | Use pkginfo -q -R SUNWftpr
set-banner-ftpd | svc:/network/ftp:default | Use pkginfo -q -R SUNWsshdr
set-banner-sshd | svc:/network/ssh:default | Use pkginfo -q -R SUNWftpr
set-ftpd-unmask | svc:/network/ftp:default | Use pkginfo -q -r SUNWftpr

(1) Solaris 10 only

Scripts That SMF Recognizes as Legacy Services

TABLE 1-2 lists the Solaris Security Toolkit scripts that are not SMF ready, but that SMF recognizes as legacy services. Although the legacy services can be represented in FMRI format, SMF does not have the ability to enable or disable them.

TABLE 1-2 Solaris Security Toolkit Scripts That SMF Recognizes as Legacy Services

Script Name | Fault Management Resource Identifier (FMRI)
disable-apache | lrc:/etc/rc3_d/s50apache
disable-appserv | lrc:/etc/rc2_d/s84appserv
disable-autoinst | lrc:/etc/rc2_d/s72autoinstall
disable-directory | lrc:/etc/rc2_d/s72directory
disable-dmi | lrc:/etc/rc3_d/s77dmi
disable-dtlogin | lrc:/etc/rc2_d/s99dtlogin
disable-iiim | lrc:/etc/rc2_d/s95iiim
disable-mipagent | lrc:/etc/rc3_d/s80mipagent

TABLE 1-2 Solaris Security Toolkit Scripts That SMF Recognizes as Legacy Services (Continued)

Script Name | Fault Management Resource Identifier (FMRI)
disable-ppp | lrc:/etc/rc2_d/s47pppd
disable-preserve | lrc:/etc/rc2_d/s89preserve
disable-samba | lrc:/etc/rc3_d/s90samba
disable-snmp | lrc:/etc/rc3_d/s76snmpdx
disable-uucp | lrc:/etc/rc2_d/s70uucp
disable-vold | lrc:/etc/rc3_d/s81volmgt
disable-wbem | lrc:/etc/rc2_d/s90wbem
set-banner-dtlogin | lrc:/etc/rc2_d/s99dtlogin

New Scripts for Solaris Security Toolkit 4.2 Release

Following are new scripts for the Solaris Security Toolkit 4.2 release:

disable-apache2.{fin|aud}
disable-appserv.{fin|aud}
disable-iiim.{fin|aud}
disable-routing.{fin|aud}
enable-account-lockout.{fin|aud}
enable-bart.{fin|aud}
enable-ipfilter.{fin|aud}
enable-password-history.{fin|aud}
set-root-home-dir.{fin|aud}
set-strict-password-checks.{fin|aud}

The functions of finish (.fin) scripts are explained in Chapter 5, and the functions of audit (.aud) scripts are explained in Chapter 6.

Scripts Not Used for Solaris 10

TABLE 1-3 lists the Solaris Security Toolkit scripts that are not used when you are hardening the Solaris 10 Operating System.

TABLE 1-3 Solaris Security Toolkit Scripts Not Used for Solaris 10

Script Name | Applicable Operating System
disable-ab2 | Solaris through 8
disable-aspp | Solaris through 8
disable-picld | Solaris 8 and 9
install-fix-modes | Solaris through 9
install-newaliases | Solaris through 8
install-openssh | Solaris through 8
install-sadmind-options | Solaris through 9
install-strong-permissions | Solaris through 9
remove-unneeded-accounts | Solaris through 9

Environment Variables Not Used for Solaris 10

The following environment variables are not used for the Solaris 10 Operating System:

JASS_ISA_CAPABILITY (removed from Solaris Security Toolkit 4.2 software)
JASS_DISABLE_MODE

Using Solaris 10 OS Zones

The Solaris Security Toolkit 4.2 software can be used to harden a zone, or Sun Network One (N1) grid container, for systems using the Solaris 10 OS. All Solaris Security Toolkit profiles (hardening, audit, and undo) function in Solaris 10 zones in the same manner as in non-zoned systems for the most part. Any differences are noted in this section.

Sequence Matters in Hardening Global and Non-Global Zones

If the global zone has been hardened before the non-global zone (NGZ) is installed, certain modifications made by the Solaris Security Toolkit 4.2 software are carried into the new zone, but many others are not. To ensure that a newly created zone is properly secured, the Solaris Security Toolkit 4.2 software should be applied in both hardening and audit modes immediately after the zone's installation. Once a non-global zone is installed, hardening and unhardening in the global zone does not affect the NGZ, and vice versa.

Harden a Non-Global Zone From Within That Zone

Caution: Because of security risks, you should never access a non-global zone file system from outside that zone. A path that is not dangerous in a non-global zone can be dangerous in the global zone. For example, a non-global zone administrator can link the /etc/shadow file to the ../../../shadow file. Inside the non-global zone, this is harmless, but modifications to the file from the global zone, using the path /opt/testzone/etc/shadow, would edit the global zone's /etc/passwd file. Again, a non-global zone should never be hardened, undone, cleaned, or even audited unless you are logged into that zone.
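
The caution above can be turned into a check. The following Python code is an added example, not part of the manual or the toolkit: it walks a zone root from the outside and lists every symlink that a global-zone process would follow out of the zone, next to where the same link leads for a process inside the zone. The temporary directory standing in for the global root, the opt/testzone layout beneath it and the function names are constructed for illustration.

```python
"""Audit a zone root from the global zone for symlinks that resolve outside
the zone. Added example with a constructed directory layout."""
import os
import tempfile
from typing import List, NamedTuple


class Finding(NamedTuple):
    link: str         # symlink path as seen from the global zone
    target: str       # text stored in the symlink
    global_view: str  # where a global-zone process following the link ends up
    zone_view: str    # where a process inside the zone ends up


def zone_view(zone_root: str, link: str) -> str:
    """Resolve one link lexically, as a process rooted at zone_root sees it.

    Absolute targets start at the zone root and '..' cannot climb above it.
    Links nested inside the target path are not followed here.
    """
    target = os.readlink(link)
    stack: List[str] = []
    if not os.path.isabs(target):
        rel_dir = os.path.relpath(os.path.dirname(link), zone_root)
        stack = [] if rel_dir == "." else rel_dir.split(os.sep)
    for part in target.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if stack:
                stack.pop()  # at the zone root, '..' stays at the root
        else:
            stack.append(part)
    return "/" + "/".join(stack)


def find_escaping_links(zone_root: str) -> List[Finding]:
    """List symlinks under zone_root that lead outside it from the global zone."""
    root = os.path.realpath(zone_root)
    findings = []
    # followlinks=False: never descend through a symlinked directory.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:  # directory symlinks are in dirnames
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            resolved = os.path.realpath(path)
            if os.path.commonpath([root, resolved]) != root:
                findings.append(Finding(path, os.readlink(path), resolved,
                                        zone_view(root, path)))
    return sorted(findings)


def build_constructed_zone(base: str) -> str:
    """Create the sample layout: base plays the global root, base/opt/testzone
    the zone root. Returns the zone root."""
    zone_root = os.path.join(base, "opt", "testzone")
    os.makedirs(os.path.join(zone_root, "etc"))
    os.makedirs(os.path.join(zone_root, "var", "log"))
    # The link from the caution: /etc/shadow -> ../../../shadow
    os.symlink("../../../shadow", os.path.join(zone_root, "etc", "shadow"))
    # Absolute target: inside the zone it is the zone's /var/log, from the
    # global zone it is the global /var/log.
    os.symlink("/var/log", os.path.join(zone_root, "etc", "logs"))
    # Relative link that stays inside the zone from either side.
    os.symlink("../var/log", os.path.join(zone_root, "etc", "logdir"))
    return zone_root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for f in find_escaping_links(build_constructed_zone(base)):
            print(f"{f.link} -> {f.target}")
            print(f"  inside the zone:      {f.zone_view}")
            print(f"  from the global zone: {f.global_view}")
```

The walk only reads link text and never opens a file through a link, which is the operation the caution warns against. Absolute link targets are always reported, because from the global zone they start at the global root.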

If your Solaris Security Toolkit 4.2 installation is in the standard /opt/sunwjass directory, you can harden a zone by using the Solaris 10 OS zlogin(1) command to log in to, or enter, that zone to run the Solaris Security Toolkit.

CODE EXAMPLE 1-1 Hardening a Non-Global Zone

    # zlogin myzone /opt/sunwjass/bin/jass-execute -d my.driver

The variable myzone is your non-global zone, and the variable my.driver is the name of the driver you are using.

Some Scripts Are Not Relevant to Non-Global Zones

Some of the Solaris Security Toolkit scripts are not relevant to a non-global zone; for example, those that modify kernel parameters using /etc/system. When these scripts are run in a non-global zone, the scripts log the fact that they are not required for a non-global zone as a [NOTE]. If you are writing your own script, you might want to use the lognotglobalzone function (see lognotglobalzone on page 29) to issue such a message in a standard way.

To test whether or not you are in a non-global zone in a Solaris Security Toolkit script, you can check the Solaris Security Toolkit 4.2 environment variable JASS_ZONE_NAME to see if it contains global. This variable is set to global in OS versions prior to the Solaris 10 OS. For more information about the variable, see JASS_ZONE_NAME on page 254.

Audits of Non-Global Zones Are Separate and Distinct From Audits of Global Zones

Running processes, installed software, and the configurations of non-global zones are audited separately from those of the global zone. For example, an audit of an NGZ, which detected an unauthorized process running, would trigger an NGZ audit failure, not a global zone audit failure. Similarly, when a global zone is audited, any security violations detected would generate global zone security violations, not NGZ violations. The only overlap between a global and non-global zone audit occurs during a BART review of the global zone.
File systems of the NGZ are mounted on the global zone and might be reviewed by the BART manifest files included in the Solaris Security Toolkit. When reviewing these NGZ file systems from the global zone, security violations relevant to the NGZ might be reported on the global zone. To avoid this situation, ensure that any NGZ file systems mounted on the global zone are excluded from the BART manifest file.

Zone-Aware Finish and Audit Scripts

Toolkit scripts that are not to be run in a zone because of insufficient privileges for operation check whether they are in the global zone by using the environment variable JASS_ZONE_NAME (see JASS_ZONE_NAME on page 254). If the Solaris Security Toolkit scripts are not running in the global zone, the scripts log that information with the lognotglobalzone function and finish. TABLE 1-4 lists the Finish and Audit scripts that are zone aware.

TABLE 1-4 Solaris Security Toolkit 4.2 Zone-Aware Finish and Audit Scripts

Base Script Name | Reason for Zone Awareness | Zone Behavior
disable-power-mgmt | Power functions cannot be used in a zone. | log
enable-bsm | Zones cannot enable BSM, although they can use BSM. | Before you can enable the ability to use BSM in a NGZ, you first must enable the ability to use BSM in the global zone.
enable-ipfilter | Zones cannot change IP Filter. | log
enable-priv-ngs-ports | Zones cannot be NFS servers. | log
enable-rfc1948 | Zones cannot affect the /dev/ip stack. | log
enable-stack-protection | Zones cannot change the kernel parameters. | log
install-nddconfig | Zones cannot affect the /dev/ip stack. | log
install-security-mode | Zones cannot access the EEPROM. | log
log

Some Zone-Aware Scripts Require Action Before Use in Non-Global Zones

Some Solaris Security Toolkit scripts that are zone aware, such as enable-bsm.fin, might require actions to be taken in the global zone prior to their full use in a non-global zone. If you run such scripts without taking these actions, you are prompted and given instructions to take the required actions to make full use of these capabilities. In other words, some actions require a kernel module to work.
In this case, you need to load the module from the global zone, and then you can use it in the non-global zone. Until you do that, the actions are not performed.

rpcbind Disabled or Enabled Based on Drivers

In the Solaris 10 Operating System, there are services which depend on rpcbind such as the Fault Manager Daemon (FMD), Network Information Services (NIS), the Network File System (NFS), and window managers, such as Common Desktop Environment (CDE) and GNU Network Object Model Environment (GNOME). The Solaris Security Toolkit 4.2 software either disables or enables rpcbind based on the driver as follows:

secure.driver: rpcbind disabled by default
server-secure.driver: rpcbind enabled by default
suncluster3x-secure.driver: rpcbind enabled by default
sunfire_15k_sc-secure.driver: rpcbind disabled by default

You might need to configure rpcbind to start manually, depending on your system's configuration. Refer to the Solaris 10 OS Administration documentation for details on how to use SMF. rpcbind in the Solaris 10 OS uses TCP Wrappers and the uses of both are closely related. See Using TCP Wrappers on page 11 for details on how each of the drivers auto-configure TCP Wrappers.

To Enable rpcbind

1. Unharden the system.

2. Verify that rpcbind is running by using the pgrep command.

    # pgrep rpcbind
    process-id

Use the following form of the pgrep command for systems running the Solaris 10 OS where you have a global zone with child zones, so that you do not receive child zone processes.

    # pgrep -z zone-name rpcbind
    process-id

If you receive a process-id you know that rpcbind is running.

N1 Grid Service Provisioning System 5.0 User s Guide for the Linux Plug-In

N1 Grid Service Provisioning System 5.0 User s Guide for the Linux Plug-In N1 Grid Service Provisioning System 5.0 User s Guide for the Linux Plug-In Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 819 0735 December 2004 Copyright 2004 Sun Microsystems,

More information

Sun Management Center 3.6 Version 5 Add-On Software Release Notes

Sun Management Center 3.6 Version 5 Add-On Software Release Notes Sun Management Center 3.6 Version 5 Add-On Software Release Notes For Sun Fire, Sun Blade, Netra, and Sun Ultra Systems Sun Microsystems, Inc. www.sun.com Part No. 819-7977-10 October 2006, Revision A

More information

Solaris 9 9/05 Installation Roadmap

Solaris 9 9/05 Installation Roadmap Solaris 9 9/05 Installation Roadmap This document is a guide to the DVD-ROM, CD-ROMs, and documents involved in installing the Solaris 9 9/05 software. Unless otherwise specified, this document refers

More information

Sun StorEdge Availability Suite Software Point-in-Time Copy Software Maximizing Backup Performance

Sun StorEdge Availability Suite Software Point-in-Time Copy Software Maximizing Backup Performance Sun StorEdge Availability Suite Software Point-in-Time Copy Software Maximizing Backup Performance A Best Practice Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 Part

More information

Sun Management Center Change Manager 1.0.1 Release Notes

Sun Management Center Change Manager 1.0.1 Release Notes Sun Management Center Change Manager 1.0.1 Release Notes Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 817 0891 10 May 2003 Copyright 2003 Sun Microsystems, Inc. 4150

More information

Sun TM SNMP Management Agent Release Notes, Version 1.6

Sun TM SNMP Management Agent Release Notes, Version 1.6 Sun TM SNMP Management Agent Release Notes, Version 1.6 Sun Microsystems, Inc. www.sun.com Part No. 820-5966-12 December 2008, Revision A Submit comments about this document by clicking the Feedback[+]

More information

Sun Management Center 3.6 Version 4 Add-On Software Release Notes

Sun Management Center 3.6 Version 4 Add-On Software Release Notes Sun Management Center 3.6 Version 4 Add-On Software Release Notes For Sun Fire, Sun Blade, Netra, and Sun Ultra Systems Sun Microsystems, Inc. www.sun.com Part No. 819-4989-10 July 2006, Revision A Submit

More information

Sun StorEdge Enterprise Backup Software 7.2

Sun StorEdge Enterprise Backup Software 7.2 Sun StorEdge Enterprise Backup Software 7.2 Update Guide Sun Microsystems, Inc. www.sun.com Part No. 819-4089-10 September 2005, Revision A Submit comments about this document at: http://www.sun.com/hwdocs/feedback

More information

SCSI Sense Key Error Guide

SCSI Sense Key Error Guide SCSI Sense Key Error Guide Sun Microsystems, Inc. www.sun.com Part No. 817-5918-10 February 2004, Revision A Submit comments about this document at: http://www.sun.com/hwdocs/feedback Copyright 2004 Sun

More information

Sun StorEdge A5000 Installation Guide

Sun StorEdge A5000 Installation Guide Sun StorEdge A5000 Installation Guide for Windows NT Server 4.0 Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 USA 650 960-1300 Fax 650 969-9131 Part No. 805-7273-11 October 1998,

More information

Solaris 10 Documentation README

Solaris 10 Documentation README Solaris 10 Documentation README Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 817 0550 10 January 2005 Copyright 2005 Sun Microsystems, Inc. 4150 Network Circle, Santa

More information

Sun Management Center 3.0 Platform Update 4 Release Notes for Sun Fire 15K/12K Systems

Sun Management Center 3.0 Platform Update 4 Release Notes for Sun Fire 15K/12K Systems Sun Management Center 3.0 Platform Update 4 Release Notes for Sun Fire 15K/12K Systems Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 Part No. 816-5008-10 April 2002,

More information

Sun Management Center 3.5 Update 1b Release Notes

Sun Management Center 3.5 Update 1b Release Notes Sun Management Center 3.5 Update 1b Release Notes Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 819 3054 10 June 2005 Copyright 2005 Sun Microsystems, Inc. 4150 Network

More information

Sun SNMP Management Agent Release Notes, Version 1.5.5

Sun SNMP Management Agent Release Notes, Version 1.5.5 Sun SNMP Management Agent Release Notes, Version 1.5.5 Sun Microsystems, Inc. www.sun.com Part No. 820-0174-15 June 2008, Revision A Submit comments about this document at: http://www.sun.com/hwdocs/feedback

More information

Sun Fire 15K/12K Dynamic Reconfiguration Installation Guide and Release Notes

Sun Fire 15K/12K Dynamic Reconfiguration Installation Guide and Release Notes Sun Fire 15K/12K Dynamic Reconfiguration Installation Guide and Release Notes Solaris 8 2/02 Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 Part No. 816-5080-10 April

More information

Sun Cluster 2.2 7/00 Data Services Update: Apache Web Server

Sun Cluster 2.2 7/00 Data Services Update: Apache Web Server Sun Cluster 2.2 7/00 Data Services Update: Apache Web Server Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 U.S.A. 650-960-1300 Part No. 806-6121 July 2000, Revision A Copyright 2000

More information

Sun Enterprise Optional Power Sequencer Installation Guide

Sun Enterprise Optional Power Sequencer Installation Guide Sun Enterprise Optional Power Sequencer Installation Guide For the Sun Enterprise 6500/5500 System Cabinet and the Sun Enterprise 68-inch Expansion Cabinet Sun Microsystems, Inc. 901 San Antonio Road Palo

More information

Optimizing Solaris Resources Through Load Balancing

Optimizing Solaris Resources Through Load Balancing Optimizing Solaris Resources Through Load Balancing By Tom Bialaski - Enterprise Engineering Sun BluePrints Online - June 1999 http://www.sun.com/blueprints Sun Microsystems, Inc. 901 San Antonio Road

More information

Sun Fire B10n Content Load Balancing Blade Product Notes

Sun Fire B10n Content Load Balancing Blade Product Notes Sun Fire B10n Content Load Balancing Blade Product Notes Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 Part No. 817-0628-10 June 2003, Revision A Submit comments

More information

Sun StorEdge RAID Manager 6.2.21 Release Notes

Sun StorEdge RAID Manager 6.2.21 Release Notes Sun StorEdge RAID Manager 6.2.21 Release Notes formicrosoftwindowsnt Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 USA 650 960-1300 Fax 650 969-9131 Part No. 805-6890-11 November

More information

Upgrading the Solaris PC NetLink Software

Upgrading the Solaris PC NetLink Software Upgrading the Solaris PC NetLink Software By Don DeVitt - Enterprise Engineering Sun BluePrints OnLine - January 2000 http://www.sun.com/blueprints Sun Microsystems, Inc. 901 San Antonio Road Palo Alto,

More information

Solaris 9 Installation Roadmap

Solaris 9 Installation Roadmap Solaris 9 Installation Roadmap This document is a guide to the DVD, CDs and documents involved in installing the Solaris 9 software. Unless otherwise specified, this document refers to both DVDs and CDs

More information

Solaris Security Toolkit 4.2 Administration Guide

Solaris Security Toolkit 4.2 Administration Guide Solaris Security Toolkit 4.2 Administration Guide Sun Microsystems, Inc. www.sun.com Part No. 819-1402-10 July 2005, Revision A Submit comments about this document at: http://www.sun.com/hwdocs/feedback

More information

Sun Ultra TM. 5 and Ultra 10 Product Notes. Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 U.S.A.

Sun Ultra TM. 5 and Ultra 10 Product Notes. Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 U.S.A. Sun Ultra TM 5 and Ultra 10 Product Notes Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 U.S.A. 650-960-1300 Part No. 806-6750-11 November 2000, Revision A Send comments about this

More information

Sun StorEdge Network FC Switch-8 and Switch-16 Release Notes

Sun StorEdge Network FC Switch-8 and Switch-16 Release Notes Sun StorEdge Network FC Switch-8 and Switch-16 Release Notes Sun StorEdge SAN 3.0 Release Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 U.S.A. 650-960-1300 Part No. 816-0842-12 February

More information

RAID Controller PCI Card for the Sun Fire V60x and V65x Servers Release Notes

RAID Controller PCI Card for the Sun Fire V60x and V65x Servers Release Notes RAID Controller PCI Card for the Sun Fire V60x and V65x Servers Release Notes CAUTION: Read this document before installing the RAID Controller PCI Card. Failure to use the correct firmware version with

More information

Sun Fire 6800/4810/4800/3800 Systems Firmware 5.13.3 Release Notes

Sun Fire 6800/4810/4800/3800 Systems Firmware 5.13.3 Release Notes Sun Fire 6800/4810/4800/3800 Systems Firmware 5.13.3 Release Notes Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 Part No. 816-7909-10(v2) October 2002, Revision A

More information

SunFDDI 6.0 on the Sun Enterprise 10000 Server

SunFDDI 6.0 on the Sun Enterprise 10000 Server SunFDDI 6.0 on the Sun Enterprise 10000 Server Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 USA 650 960-1300 Fax 650 969-9131 Part No.: 806-3610-11 November 1999, Revision A Send

More information

Sun Grid Engine 5.2.3 Release Notes

Sun Grid Engine 5.2.3 Release Notes Sun Grid Engine 5.2.3 Release Notes Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 U.S.A. 650-960-1300 Part No. 816-2082-10 July 2001 For more information, go to http://www.sun.com/gridware

More information

Sun N1 Service Provisioning System User s Guide for Linux Plug-In 2.0

Sun N1 Service Provisioning System User s Guide for Linux Plug-In 2.0 Sun N1 Service Provisioning System User s Guide for Linux Plug-In 2.0 Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 819 4885 10 April 2006 Copyright 2006 Sun Microsystems,

More information

Service Level Definitions and Interactions

Service Level Definitions and Interactions Service Level Definitions and Interactions By Adrian Cockcroft - Enterprise Engineering Sun BluePrints OnLine - April 1999 http://www.sun.com/blueprints Sun Microsystems, Inc. 901 San Antonio Road Palo

More information

Netra Data Plane Software Suite 2.0 Update 2 Release Notes

Netra Data Plane Software Suite 2.0 Update 2 Release Notes Netra Data Plane Software Suite 2.0 Update 2 Release Notes Sun Microsystems, Inc. www.sun.com Part No. 820-5213-11 July 2008, Revision A Submit comments about this document at: http://www.sun.com/hwdocs/feedback

More information

Brocade SilkWorm 4100 FC Switch Release Notes

Brocade SilkWorm 4100 FC Switch Release Notes Brocade SilkWorm 4100 FC Switch Release Notes For Installation in Sun Storage Area Networks, 4.4.0b Firmware Sun Microsystems, Inc. www.sun.com Part No. 819-1672-10 April 2005, Revision A Submit comments

More information

Scrubbing Disks Using the Solaris Operating Environment Format Program

Scrubbing Disks Using the Solaris Operating Environment Format Program Scrubbing Disks Using the Solaris Operating Environment Format Program By Rob Snevely - Enterprise Technology Center Sun BluePrints OnLine - June 2000 http://www.sun.com/blueprints Sun Microsystems, Inc.

More information

Sun Fire V480 Server Product Notes

Sun Fire V480 Server Product Notes Sun Fire V480 Server Product Notes Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 Part No. 816-0905-14 September 2002, Revision A Send comments about this document

More information

Sun StorEdge N8400 Filer Release Notes

Sun StorEdge N8400 Filer Release Notes Sun StorEdge N8400 Filer Release Notes Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303 U.S.A. 650-960-1300 Part No. 806-6888-10 February 2001, Revision A Send comments about this document

More information

Solaris Bandwidth Manager

Solaris Bandwidth Manager Solaris Bandwidth Manager By Evert Hoogendoorn - Enterprise Engineering Sun BluePrints Online - June 1999 http://www.sun.com/blueprints Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303 USA

More information

Service Level Agreement in the Data Center

Service Level Agreement in the Data Center Service Level Agreement in the Data Center By Edward Wustenhoff Sun Professional Services Sun BluePrints OnLine - April 2002 http://www.sun.com/blueprints Sun Microsystems, Inc. 4150 Network Circle Santa

More information

JumpStart : NIS and sysidcfg

JumpStart : NIS and sysidcfg JumpStart : NIS and sysidcfg By Rob Snevely - Enterprise Technology Center Sun BluePrints OnLine - October 1999 http://www.sun.com/blueprints Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303

More information

Exploring the iplanet Directory Server NIS Extensions

Exploring the iplanet Directory Server NIS Extensions Exploring the iplanet Directory Server NIS Extensions By Tom Bialaski - Enterprise Engineering Sun BluePrints OnLine - August 2000 http://www.sun.com/blueprints Sun Microsystems, Inc. 901 San Antonio Road

More information

Sun Enterprise 420R Server Product Notes

Sun Enterprise 420R Server Product Notes Sun Enterprise 420R Server Product Notes Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 USA 650 960-1300 Fax 650 969-9131 Part No. 806-1082-12 May 2001, Revision A Send comments about

More information

Comparing JavaServer Pages Technology and Microsoft Active Server Pages

Comparing JavaServer Pages Technology and Microsoft Active Server Pages Comparing JavaServer Pages Technology and Microsoft Active Server Pages An Analysis of Functionality Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303 1 (800) 786.7638 1.512.434.1511 Copyright

More information

HelloWorld SOAP Sample:

HelloWorld SOAP Sample: Accessing Stateless Session Enterprise JavaBeans Technology Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303 U.S.A. 650-960-1300 Copyright 2002 Sun Microsystems,

Important Note on New Product Names

Important Note on New Product Names As part of Sun's new developer product strategy, we have changed the names of our development tools from Sun WorkShop to Forte Developer products. The products, as you

Sun Ray, Smart Cards, and Citrix

Sun Ray, Smart Cards, and Citrix Enabling Sun Ray Smart Card Pass-through to Citrix Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 May 2004, Version 1.0 Copyright

Sun Blade 1500 Workstation Product Notes

Sun Blade 1500 Workstation Product Notes (Silver) Silver Sun Microsystems, Inc. www.sun.com Part No. 817-5131-13 April 2005, Revision A Submit comments about this document at: http://www.sun.com/hwdocs/feedback

Sun StorEdge SAN Foundation Release Notes

Sun StorEdge SAN Foundation Release Notes Version 4.1 Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 Part No. 817-0071-10 October 2002, Revision 01 Send comments about

LAN-Free Backups Using the Sun StorEdge Instant Image 3.0 Software

LAN-Free Backups Using the Sun StorEdge Instant Image 3.0 Software Art Licht, Sun Microsystems, Inc. Sun BluePrints OnLine June 2002 http://www.sun.com/blueprints Sun Microsystems, Inc. 4150 Network Circle

Sun StorEdge T3 Dual Storage Array - Part 1

Sun StorEdge T3 Dual Storage Array - Part 1 Installation, Planning, and Design By Mark Garner - Enterprise Engineering Sun BluePrints OnLine - February 2001 http://www.sun.com/blueprints Sun Microsystems,

Power Savings in the UltraSPARC T1 Processor

Power Savings in the UltraSPARC T1 Processor David Greenhill, Distinguished Engineer Jerome Alabado, Staff Engineer Sun Microsystems Inc. December 2005 Sun Microsystems, Inc. 4150 Network Circle Santa

Reducing the Backup Window With Sun StorEdge Instant Image Software

Reducing the Backup Window With Sun StorEdge Instant Image Software Selim Daoud, Sun Professional Services, Switzerland Sun BluePrints OnLine July 2002 http://www.sun.com/blueprints Sun Microsystems, Inc.

Managing NFS Workloads

Managing NFS Workloads By Richard McDougall, Adrian Cockcroft and Evert Hoogendoorn - Enterprise Engineering Sun BluePrints OnLine - April 1999 http://www.sun.com/blueprints Sun Microsystems, Inc. 901

Java Dynamic Management Architecture for Intelligent Networks

Java Dynamic Management Architecture for Intelligent Networks Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303 1 (800) 786.7638 +1.512.434.1511 Copyright 1998 Sun Microsystems, Inc., 901

Start Here. Installation and Documentation Reference. Sun StorEdgeTM 6120 Array

Start Here Installation and Documentation Reference Sun StorEdgeTM 6120 Array 1 Access the Online Documentation These documents and other related documents are available online at http://www.sun.com/documentation

Developing a Security Policy

Developing a Security Policy By Joel Weise - SunPS SM Global Security Practice and Charles R. Martin - SunPS Java Centers Sun BluePrints OnLine - December 2001 http://www.sun.com/blueprints Sun Microsystems,

Automating Centralized File Integrity Checks in the Solaris 10 Operating System

Automating Centralized File Integrity Checks in the Solaris 10 Operating System Glenn Brunette, Client Solutions Sun BluePrints OnLine March 2005 A Sun BluePrints Cookbook http://www.sun.com/blueprints

Sun Fire 6800/4810/4800/3800 Systems Software Release Notes

Sun Fire 6800/4810/4800/3800 Systems Software Release Notes Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 USA 650 960-1300 Fax 650 969-9131 Part No.: 816-2553-10 (v2) October 2001,

Brocade 5300 Switch Hardware Release Notes

Brocade 5300 Switch Hardware Release Notes For Installation in a Sun Storage Area Network Sun Microsystems, Inc. www.sun.com Part No. 820-4925-10 May 2008, Revision A Submit comments about this document at:

Sun Fire V20z Server Release Notes

Sun Fire V20z Server Release Notes Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 Part No. 817-5252-10 March, 2004 Revision A Submit comments about this document at:

Sun Java System Connector for Microsoft Outlook 7.2 Installation Guide

Sun Java System Connector for Microsoft Outlook 7.2 Installation Guide Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 819 4409 10 March 2007 Copyright 2007 Sun Microsystems,

N1 Grid Engine 6 Release Notes

N1 Grid Engine 6 Release Notes Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 817 5678 10 June 2004 Copyright 2004 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara,

Java Management Extensions SNMP Manager API

Java Management Extensions SNMP Manager API Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303 U.S.A. 650-960-1300 August 1999, Draft 2.0 Copyright 1999 Sun Microsystems, Inc., 901 San Antonio

Sun Ray Server Software 3 Release Notes

Sun Ray Server Software 3 Release Notes for the Linux Operating System Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 Copyright 2004, Sun Microsystems Part No. 817-6813-10

Disaster Recovery Requirements Analysis

Disaster Recovery Requirements Analysis By Stan Stringfellow - Special to Sun BluePrints OnLine Sun BluePrints OnLine - July 2000 http://www.sun.com/blueprints Sun Microsystems, Inc. 901 San Antonio Road

Netra X4200 M2 Server Site Planning Guide

Netra X4200 M2 Server Site Planning Guide Sun Microsystems, Inc. www.sun.com Part No. 820-0069-12 May 2008, Revision A Submit comments about this document at: http://www.sun.com/hwdocs/feedback Copyright

Brocade 300 Switch Hardware Release Notes

Brocade 300 Switch Hardware Release Notes For Installation in a Sun Storage Area Network Sun Microsystems, Inc. www.sun.com Part No. 820-4923-11 November 2008, Revision A Submit comments about this document at:

Rapid Recovery Techniques: Exploring the Solaris Software Registry

Rapid Recovery Techniques: Exploring the Solaris Software Registry By Richard Elling - Enterprise Engineering Sun BluePrints OnLine - October 1999 http://www.sun.com/blueprints Sun Microsystems, Inc. 901

Rapid Recovery Techniques: Auditing Custom Software Configuration

Rapid Recovery Techniques: Auditing Custom Software Configuration By Richard Elling - Enterprise Engineering Sun BluePrints OnLine - February 2000 http://www.sun.com/blueprints Sun Microsystems, Inc. 901

Getting Started With Sun Java System Application Server 9.1 Update 2

Getting Started With Sun Java System Application Server 9.1 Update 2 Student Guide Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. August 2008 Copyright 2008 Sun Microsystems, Inc.

Sun Blade 100 and Sun Blade 150 Workstations

Sun Blade 100 and Sun Blade 150 Workstations Differences Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 Part No. 990-1211-10 June 2002, Revision 01 Send comments about

A Strategy for Managing Performance

A Strategy for Managing Performance John Brady, Sun Professional Services Sun BluePrints OnLine December 2002 http://www.sun.com/blueprints Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95045

Sun GlassFish Enterprise Manager SNMP Monitoring 1.0 Installation and Quick Start Guide

Sun GlassFish Enterprise Manager SNMP Monitoring 1.0 Installation and Quick Start Guide Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 820 7189 January 2009 Copyright

Veritas Storage Foundation 5.0 Software for SPARC

Veritas Storage Foundation 5.0 Software for SPARC Release Note Supplement Sun Microsystems, Inc. www.sun.com Part No. 819-7074-10 July 2006 Submit comments about this document at: http://www.sun.com/hwdocs/feedback

Service Level Management in the Data Center

Service Level Management in the Data Center By Edward Wustenhoff Sun Professional Sun BluePrints OnLine - March 2002 http://www.sun.com/blueprints Sun Microsystems, Inc. 4150 Network Circle Santa Clara,

Sun StorEdge network FC switch-8 and switch-16 Release Notes

Sun StorEdge network FC switch-8 and switch-16 Release Notes Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 U.S.A. 650-960-1300 Part No. 806-6924-14 February 2001, Revision A Send

Sun Fire 6800/4810/4800/ 3800 Systems Product Notes

Sun Fire 6800/4810/4800/ 3800 Systems Product Notes Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 USA 650 960-1300 Fax 650 969-9131 Part No.: 806-7217-10 March 2001, Revision A Send

Sun Cobalt Control Station. Using the LCD Console

Sun Cobalt Control Station Using the LCD Console Copyright 1997-2001 Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto, California 94303-4900 U.S.A. All rights reserved. Sun Microsystems, Inc. has

Distributed Application Management using Jini Connection Technology

Distributed Application Management using Jini Connection Technology The Jini Technology Enabled Applications Manager provides a framework, utilizing Jini and JavaSpaces technologies, for selecting and

The UltraSPARC T1 Processor - High Bandwidth For Throughput Computing

The UltraSPARC T1 Processor - High Bandwidth For Throughput Computing William Bryg, Distinguished Engineer Jerome Alabado, Staff Engineer Sun Microsystems, Inc. December 2005 Sun Microsystems, Inc. 4150

Sun Remote System Control (RSC) Installation Guide

Sun Remote System Control (RSC) Installation Guide Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 U.S.A. 650-960-1300 Part No. 806-3987-10 February 2000, Revision A Send comments about

Solaris Resource Manager

Solaris Resource Manager By Richard McDougall - Enterprise Engineering Sun BluePrints OnLine - April 1999 http://www.sun.com/blueprints Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303 USA

Installation and Configuration

Installation and Configuration Sun Ray Connector for VMware View Manager 1.1 Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 820 7454 March 2009 Copyright 2009 Sun Microsystems,

Consolidation in the Data Center

Consolidation in the Data Center David Hornby, Global Sales Organization Ken Pepple, Enterprise Services Sun BluePrints OnLine September 2002 http://www.sun.com/blueprints Sun Microsystems, Inc. 4150 Network

Sun Ray Connector for Windows OS, Version 2.1 Release Notes

Sun Ray Connector for Windows OS, Version 2.1 Release Notes Sun Microsystems, Inc. www.sun.com Part No. 820-3777-12 October 2008, Revision A Submit comments about this document at: http://www.sun.com/hwdocs/feedback

The Solaris Fingerprint Database - A Security Tool for Solaris Operating Environment Files

The Solaris Fingerprint Database - A Security Tool for Solaris Operating Environment Files By Vasanthan Dasan - Support Services Strategy Group, Alex Noordergraaf - Enterprise Engineering, and Lou Ordorica

Using Linux mdadm Multipathing with Sun StorEdge Systems

Using Linux mdadm Multipathing with Sun StorEdge Systems Sun Microsystems, Inc. www.sun.com Part No. 819-2452-10 April 2005, Revision A Submit comments about this document at: http://www.sun.com/hwdocs/feedback

Role Based Access Control and Secure Shell A Closer Look At Two Solaris Operating Environment Security Features

Role Based Access Control and Secure Shell A Closer Look At Two Solaris Operating Environment Security Features Thomas M Chalfant, Product Technical Support, Americas, Enterprise Server Group, Sun Microsystems,

Sun StorEdge Instant Image 3.0 and Oracle8i Database Best Practices

Sun StorEdge Instant Image 3.0 and Oracle8i Database Best Practices Art Licht Sun BluePrints OnLine August 2002 http://www.sun.com/blueprints Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA

Sun Fire 6800/4810/4800/3800 Systems Platform Administration Manual

Sun Fire 6800/4810/4800/3800 Systems Platform Administration Manual Firmware Release 5.15.0 Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 Part No. 817-0999-10 April

Sun Microsystems, Inc. 2550 Garcia Avenue Mountain View, CA 94043 415 960-1300 FAX 415 969-9131

Sun Microsystems, Inc. 2550 Garcia Avenue Mountain View, CA 94043 415 960-1300 FAX 415 969-9131 For U.S. Sales Office locations, call: 800 821-4643 In California: 800 821-4642 Australia: (02) 413 2666

Sun GlassFish Enterprise Manager Performance Monitor 1.0 Getting Started Guide

Sun GlassFish Enterprise Manager Performance Monitor 1.0 Getting Started Guide Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 820 7194 10 January 2009 Copyright 2009 Sun

How To Start A Glassfish V3 Application Server Quick Start 7.2.2 (Windows) On A Microsoft Server (Windows 7)

GlassFish v3 Application Server Quick Start Guide Sun Microsystems, Inc. 450 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 80 4836 0 April 008 Copyright 008 Sun Microsystems, Inc. 450 Network Circle,

How To Write A Release Note For Sun Open Telecommunications Platform 1.1.1

Sun Open Telecommunications Platform 1.1 Release Notes Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 820 1135 May 2007 Copyright 2007 Sun Microsystems, Inc. 4150 Network

Trust Modeling for Security Architecture Development

Trust Modeling for Security Architecture Development Donna Andert, Robin Wakefield, and Joel Weise, Professional Services Security Practice Sun BluePrints OnLine December 2002 http://www.sun.com/blueprints

A Patch Management Strategy for the Solaris Operating Environment

A Patch Management Strategy for the Solaris Operating Environment Ramesh Radhakrishnan, Sun Professional Services Sun BluePrints OnLine January 2003 http://www.sun.com/blueprints Sun Microsystems, Inc.

Sun SM Remote Services Net Connect Solaris TM 9 4/04

Sun SM Remote Services Net Connect Solaris TM 9 4/04 Installation and Activation Guide Sun Microsystems, Inc. www.sun.com Part No. 916-1586 Revision 1.0 May 25, 2004 Submit comments about this document

Sun Fire V480 Server Setup and Rackmounting Guide

Sun Fire V480 Server Setup and Rackmounting Guide Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 U.S.A. 650-960-1300 Part No. 816-0902-10 February 2002, Revision A Send comments about

Solaris Patch Management: Recommended Strategies

Solaris Patch Management: Recommended Strategies A White Paper Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303 USA 650 960-1300 fax 650 969-9131 Part No.: 817-0574-11 Revision 02, October

Sun Fire Midframe Server Best Practices for Administration

Sun Fire Midframe Server Best Practices for Administration By James Hsieh - Customer Problem Resolution (CPR) Engineering - Americas (formerly HES-CTE) Sun BluePrints OnLine - October 2001 http://www.sun.com/blueprints

Sun StorEdge Enterprise Backup Software 7.1

Sun StorEdge Enterprise Backup Software 7.1 Installation Guide Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 Part No. 817-3217-10 September 2003 2003, LEGATO Systems,